Apple Patch Day: 10 Holes Covered in Tiger, Leopard

The Mac OS X security train pulled into the patching station Feb. 11 with
fixes for a total of 10 vulnerabilities, including one that was first disclosed
more than a year ago during the Month of Apple Bugs project.

The megapatch, available for both Tiger and Leopard users, covers holes that
put Mac users at risk of code execution, denial-of-service and information
disclosure attacks. Eight of the 10 vulnerabilities affect Mac OS X 10.5.2.

The bug, described as a stack buffer overflow, exists in the SLP (Service
Location Protocol) daemon and could allow arbitrary code to be executed with
system privileges.

The patch batch also covers a serious flaw in the way the Safari browser
handles certain URLs. "Accessing a maliciously crafted URL may lead to an
application termination or arbitrary code execution," Apple warned,
chalking it up to a memory corruption issue. The vulnerability does not affect
systems prior to Mac OS X v10.5.

The Launch Services API, which is used to open applications or their document
files or URLs in a way similar to the Finder or the Dock, is also being patched,
in order to correct a bug that causes an application to be launched via Time
Machine backup even after it's removed from the system.

The Mac OS X Mail client is also being patched to fix an implementation issue
in Mail's handling of "file://" URLs. "[This could] allow arbitrary
applications to be launched without warning when a user clicks a URL in a
message," Apple warned.

The Security Update also covers a gaping hole in Samba that could lead to an
unexpected application termination or arbitrary code execution. The issue is a
stack buffer overflow in Samba when processing certain NetBIOS Name Service
requests.

"If a system is explicitly configured to allow 'domain log-ons,' an
unexpected application termination or arbitrary code execution could occur when
processing a request. Mac OS X Server systems configured as domain controllers
are also affected," Apple said.

A separate patch also covers a Terminal hole that could allow code execution
attacks from simply viewing a booby-trapped Web page. Apple described the issue
as an input validation error in the processing of URL schemes handled by
Terminal.app.